Here is the configuration:

Router B

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key ****** address 10.1.1.1
!
!
crypto ipsec transform-set test esp-des esp-md5-hmac
!
crypto map swift 10 ipsec-isakmp
 set peer 10.1.1.1
 set security-association lifetime seconds 86400
 set transform-set test
 match address 100
!
interface Ethernet0
 ip address 192.168.10.254 255.255.0.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 10.1.1.2 255.255.255.252
 ip nat outside
 pvc 0/35
  protocol ip 10.1.1.1
 !
 crypto map test
!
ip nat inside source static 192.168.10.1 172.19.1.2 extendable
ip nat inside source static 192.168.10.246 172.19.1.3 extendable
ip nat inside source static 192.168.10.247 172.19.1.4 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
access-list 100 permit ip 172.19.0.0 0.0.255.255 172.18.0.0 0.0.255.255
Router A

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key ****** address 10.1.1.2
!
!
crypto ipsec transform-set test esp-des esp-md5-hmac
!
crypto map swift 10 ipsec-isakmp
 set peer 10.1.1.2
 set security-association lifetime seconds 86400
 set transform-set test
 match address 100
!
interface Ethernet0
 ip address 192.168.10.254 255.255.0.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
 ip nat outside
 pvc 0/35
  protocol ip 10.1.1.2
 !
 crypto map test
!
ip nat inside source static 192.168.10.1 172.18.1.2 extendable
ip nat inside source static 192.168.10.246 172.18.1.3 extendable
ip nat inside source static 192.168.10.247 172.18.1.4 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
access-list 100 permit ip 172.18.0.0 0.0.255.255 172.19.0.0 0.0.255.255
Regards,
Mujeeb
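Before chasing SPI errors on the wire, it is worth checking that the two configs are actually mirror images of each other. The script below is an added example (not part of the thread and not a Cisco tool) that parses the crypto, interface, route and ACL lines of the two configs posted above (copied inline with NAT and DSL lines omitted and IOS indentation restored) and cross-checks them: the map applied to the interface must be one that is defined, the peer address must exist on the other router and have an isakmp key, the transform-sets must match, the crypto ACL must be the mirror of the other side's, and the default route must not point at the router's own address. On the configs exactly as posted it flags that both routers apply `crypto map test` while the only map defined is `swift`, and that Router A's default route points at 10.1.1.1, which is Router A's own ATM0.1 address. Archive copies sometimes alter names, so treat those as things to verify on the routers rather than as the diagnosis.

```python
"""Consistency lint for a pair of IOS crypto-map configs (added example; not
from the thread, not a Cisco tool). Inline inputs are the crypto, interface,
route and ACL lines of the two posted configs, NAT/DSL lines omitted."""
import re

ROUTER_B = """\
crypto isakmp key ****** address 10.1.1.1
crypto ipsec transform-set test esp-des esp-md5-hmac
crypto map swift 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set test
 match address 100
interface ATM0.1 point-to-point
 ip address 10.1.1.2 255.255.255.252
 crypto map test
ip route 0.0.0.0 0.0.0.0 10.1.1.1
access-list 100 permit ip 172.19.0.0 0.0.255.255 172.18.0.0 0.0.255.255
"""

ROUTER_A = """\
crypto isakmp key ****** address 10.1.1.2
crypto ipsec transform-set test esp-des esp-md5-hmac
crypto map swift 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set test
 match address 100
interface ATM0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
 crypto map test
ip route 0.0.0.0 0.0.0.0 10.1.1.1
access-list 100 permit ip 172.18.0.0 0.0.255.255 172.19.0.0 0.0.255.255
"""


def parse(config):
    """Extract what the checks need; 'section' remembers the last crypto-map
    or interface header so indented lines are attributed to it."""
    cfg = {"maps": {}, "applied": {}, "acls": {}, "ips": set(),
           "tsets": {}, "routes": [], "keys": set()}
    section = "?"
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            section = m[1]
            cfg["maps"][section] = {}
        elif m := re.match(r"interface (\S+)", line):
            section = m[1]
        elif m := re.match(r"crypto map (\S+)$", line):
            cfg["applied"][section] = m[1]          # map applied to an interface
        elif m := re.match(r"ip address (\S+) \S+$", line):
            cfg["ips"].add(m[1])
        elif m := re.match(r"set (peer|transform-set) (\S+)", line):
            cfg["maps"][section][m[1]] = m[2]
        elif m := re.match(r"match address (\S+)", line):
            cfg["maps"][section]["acl"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["tsets"][m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["keys"].add(m[1])
        elif m := re.match(r"ip route \S+ \S+ (\S+)", line):
            cfg["routes"].append(m[1])
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
            cfg["acls"][m[1]] = (m[2], m[3])       # (source, destination)
    return cfg


def check_side(name, local, peer_name, peer):
    """Findings for one router, checked against its peer's parsed config."""
    out = []
    for intf, cmap in local["applied"].items():
        if cmap not in local["maps"]:
            out.append(f"{name}: {intf} applies crypto map '{cmap}' but only "
                       f"{sorted(local['maps'])} is defined")
    for nh in local["routes"]:
        if nh in local["ips"]:
            out.append(f"{name}: route next-hop {nh} is this router's own address")
    for cmap, m in local["maps"].items():
        if m.get("peer") not in peer["ips"]:
            out.append(f"{name}: map '{cmap}' peer {m.get('peer')} is not on {peer_name}")
        if m.get("peer") not in local["keys"]:
            out.append(f"{name}: no isakmp key for peer {m.get('peer')}")
        if local["tsets"].get(m.get("transform-set")) not in peer["tsets"].values():
            out.append(f"{name}: transform-set of map '{cmap}' has no equal on {peer_name}")
        acl = local["acls"].get(m.get("acl"))
        # The peer's crypto ACL must be this one with source and destination swapped.
        if not acl or (acl[1], acl[0]) not in peer["acls"].values():
            out.append(f"{name}: crypto ACL {m.get('acl')} is not mirrored on {peer_name}")
    return out


def lint(cfg_a, cfg_b):
    a, b = parse(cfg_a), parse(cfg_b)
    return check_side("Router A", a, "Router B", b) + check_side("Router B", b, "Router A", a)


if __name__ == "__main__":
    for finding in lint(ROUTER_A, ROUTER_B):
        print(finding)
```

The parser only understands the handful of statements the checks need, so it is a reviewer's aid for a site-to-site pair, not a general IOS parser; on a real box the same facts come from `show crypto map`, `show crypto isakmp sa` and `show ip route`.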
Post by Mujeeb Sarwar
Dear Zaeem,
Thanks for your reply. Yes, the link is stable and there is no flapping. One
thing I want to inform you of is that the SA lifetime is set to the default on both peers,
i.e. 86400 sec, and the interesting traffic for initiating the IPsec tunnel,
defined in the access list, is the statically NATed hosts on both sites.
Regards,
Mujeeb Sarwar
Post by Mujeeb Sarwar
Dear Group,
I have two Cisco 837 routers connected point to point using IPoA, and I have
implemented an IPsec VPN between these routers. Now the problem I am facing is
that sometimes the IPsec tunnel does not establish and I have to clear the SA
counters, after which it works, but sometimes it does not work and a
message appears on the console, i.e.
00:51:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867), srcaddr=10.1.1.1

int ATM 0.1
 ip address 10.1.1.1 255.255.255.252

int ATM 0.1
 ip address 10.1.1.2 255.255.255.252
Regards,
Mujeeb Sarwar
Check if the link is stable. Normally SPI errors occur when one of the
peers dies and loses its IKE SA. Check for interface flaps/errors. You can
also enable the SPI recovery feature if your IOS supports it.
-Zaeem
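Zaeem's hypothesis (a peer lost its IKE SA, so the other side keeps sending on an SPI the receiver no longer knows) can be tested from syslog before touching the routers. The script below is an added example, not part of the thread: it reads a small constructed log (only the %CRYPTO-4-RECVD_PKT_INV_SPI format comes from the post above; the %LINK-3-UPDOWN lines, the second SPI value and all timestamps are made up), tags each invalid-SPI message with any interface state change that preceded it within a window, and counts repeats per (source, destination, SPI). Invalid-SPI hits that follow a flap are the benign case; a stale SPI hammered repeatedly with no flap in sight points at the peer (reload, lost IKE SA, lifetime mismatch) and is what to go and look at.

```python
"""Correlate invalid-SPI messages with interface state changes (added example,
not from the thread). Only the %CRYPTO-4-RECVD_PKT_INV_SPI message format is
taken from the thread; the other lines, the second SPI and all timestamps are
constructed sample data."""
import re
from collections import Counter

LOG = """\
00:51:10: %LINK-3-UPDOWN: Interface ATM0.1, changed state to down
00:51:18: %LINK-3-UPDOWN: Interface ATM0.1, changed state to up
00:51:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867), srcaddr=10.1.1.1
00:51:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867), srcaddr=10.1.1.1
03:10:02: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x0000BEEF(48879), srcaddr=10.1.1.1
"""

INV_SPI = re.compile(r"^(\d\d:\d\d:\d\d): %CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(\S+), "
                     r"prot=(\d+), spi=(0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(\S+)")
LINK = re.compile(r"^(\d\d:\d\d:\d\d): %LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)")


def to_seconds(hms):
    """Uptime-style HH:MM:SS timestamps (as in the post) to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def correlate(log, window=60):
    """One record per invalid-SPI message, tagged with the interface that
    changed state within `window` seconds before it (None if none did)."""
    flaps, events = [], []
    for line in log.splitlines():
        if m := LINK.match(line):
            flaps.append((to_seconds(m[1]), m[2]))
        elif m := INV_SPI.match(line):
            t = to_seconds(m[1])
            recent = [intf for ft, intf in flaps if 0 <= t - ft <= window]
            events.append({"time": m[1], "dst": m[2], "spi": m[4], "src": m[5],
                           "after_flap": recent[-1] if recent else None})
    return events


def summarize(events):
    """Hit count per (src, dst, spi) and how many hits a flap explains.
    Repeats on one stale SPI with no flap in view are the ones to chase on
    the peer (lost IKE SA, reload, lifetime mismatch)."""
    per_spi = Counter((e["src"], e["dst"], e["spi"]) for e in events)
    explained = sum(1 for e in events if e["after_flap"])
    return {"per_spi": dict(per_spi), "explained": explained,
            "unexplained": len(events) - explained}


if __name__ == "__main__":
    ev = correlate(LOG)
    for e in ev:
        print(e)
    print(summarize(ev))
```

The 60-second window is an assumption chosen for the sample; on a real link it should be at least the DPD or keepalive interval you run, and the log source should be an NTP-synchronised syslog collector rather than uptime-stamped console output, so that both routers' events can be placed on one timeline.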
Enable SPI recovery and see if it helps. Post your config as well.
PS: No need to CC me. I am on the mailing list. :)
-Zaeem
--
This is the SANOG (http://www.sanog.org/) mailing list.